Facebook Loophole Makes Your Phone Number a Data Hacking Tool

It's that time of the month again where we urge you all to double-check your Facebook settings or face the potential for your personal data to be harvested and used nefariously by the nebulous web boogeyman.

The issue this time concerns those who have linked their Facebook accounts to their phone numbers. Software engineer Reza Moaiandin has found a security loophole that allows a person access to a user profile, opening up names, profile pictures and location data to be harvested, even if the user had previously set these details to be private.

All it takes is access to a phone number and, using a simple number-generating algorithm, Moaiandin was able to generate thousands of positive matches which (when fed into the Facebook API for devs) gave him access to a tonne of Facebook accounts.

The issue here lies with the 'Who Can Find Me?' setting, which allows anyone to find another user by their mobile number. By default, this setting is left as accessible to "Everyone/Public", so anyone with a number generator and access to the Facebook API (neither of which are hard to come by) could gobble up swathes of user data, unless vigilant Facebook users make the appropriate settings changes.

While some of the data is already publically accessible, the most worrying element is the ability to link a person to their phone number. This could lead to harassment and identity theft, and in the case of celebrities with personal Facebook accounts, trolling on frightening scale.

Moaiandin had brought the flaw to Facebook's attention back in April, but has seen little done to fix the issue, hence going public with it. Now's a good time to reassess your Facebook privacy settings then. [Salt Agency, Guardian]